Constantly Evolving MoonPeak RAT Linked to North Korean Spying

A threat actor with likely connections to North Korea's notorious Kimsuky group is distributing a new version of the open source XenoRAT information-stealing malware, using a complex infrastructure of command-and-control (C2) servers, staging systems, and test machines.

The variant, that researchers at Cisco Talos are tracking as MoonPeak after discovering it recently, is under active development and has been constantly evolving in little increments over the past few months — making detection and identification more challenging.

MoonPeak: A XenoRAT Variant

"While MoonPeak contains most of the functionalities of the original XenoRAT, our analysis observed consistent changes throughout the variants," Cisco Talos researchers Asheer Malhotra, Guilherme Venere, and Vitor Venturs said in a blog post this week. "That shows the threat actors are modifying and evolving the code independently from the open-source version," they noted.

XenoRAT is open source malware coded in C# that became available for free on GitHub last October. The Trojan packs multiple potent capabilities, including keylogging, features for User Access Control (UAC) bypass, and a Hidden Virtual Network Computing feature that allows a threat actors to surreptitiously use a compromised system at the same time as the victim.

Cisco Talos observed what it described as a "state-sponsored North Korean nexus of threat actors" tracked as UAT-5394, deploying MoonPeak in attacks earlier this year. The attacker's tactics, techniques, and procedures (TTPs) and its infrastructure have considerable overlap with the Kimsuky group, long known for its espionage activity targeting organizations in multiple sectors, especially nuclear weapons research and policy.

The overlaps led Cisco Talos to surmise that either the UAT-5394 activity cluster it observed was in fact Kimsuky itself, or another North Korean APT that used Kimsuky's infrastructure. In the absence of hard evidence, the security vendor has decided for the time being at least to track UAT-5394 as an independent North Korean advanced persistent threat (APT) group.

Constant MoonPeak Modifications

According to the Cisco Talos researchers, their analysis of MoonPeak showed the attackers making several modifications to the XenoRAT code while also retaining many of its core functions. Among the first modifications was to change the client namespace from "xeno rat client" to "cmdline" to ensure other XenoRAT variants would not work when connected to a MoonPeak server, Cisco Talos said.

"The namespace change prevents rogue implants from connecting to their infrastructure and furthermore prevents their own implants from connecting to out-of-box XenoRAT C2 servers," according to the blog post.

Other modifications appear to have been made to obfuscate the malware and make analysis harder. Among them was the use of a computation model called State Machines to perform malware execution asynchronously, making the program flow less linear and therefore harder to follow. Thus, the task of reverse engineering the malware becomes more challenging and time-consuming.

In addition to changes to the malware itself, Cisco Talos also observed the threat actor making continuous tweaks to its infrastructure. One of the most notable was in early June, soon after researchers at AhLabs reported on an earlier XenoRAT variant that UAT-5394 was using. The disclosure prompted the threat actor to stop using public cloud services for hosting its payloads, and instead move them to privately owned and controlled systems for C2, staging and testing its malware.

At least two of the servers that Cisco Talos observed UAT-5394 using appeared to be associated with other malware. In one instance, the security vendor observed a MoonPeak server connecting with a known C2 server for Quasar RAT, a malware tool associated with the Kimsuky group.

"An analysis of MoonPeak samples reveals an evolution in the malware and its corresponding C2 components that warranted the threat actors deploy their implant variants several times on their test machines," Cisco Talos researchers said. The goal, they added, appears to be to introduce just enough changes to make detection and identification harder while also ensuring that specific MoonPeak variants work only with specific C2 servers.